Pirates Make Off With Mac App Store Booty

The Mac App Store's smooth operations have been marred by a gang of pirates who found a way to manipulate receipts. "The problem highlights the importance of having strong processes as apps become more granular and have the opportunity of developing a broad usage base through app stores," said Al Hilwa, a program director at IDC.

Yo Ho Ho and a Bottle of Rum!

A hacker using that old standby nom de plume "Anonymous" posted instructions on how to hack the "Angry Birds" game Thursday afternoon -- only hours after Apple had opened the Mac App Store.

The hack basically involves copying receipts from the Applications folder in the latest version of Snow Leopard into any app downloaded from the Mac App Store. The latest version of Snow Leopard, 10.6.6, includes the Mac App Store.

This technique apparently works because "Angry Birds" doesn't validate receipts correctly, according to Daring Fireball blogger John Gruber.

While "Angry Birds" checks for a valid receipt, it doesn't check to see that the bundle ID for the receipt matches its own bundle ID, Gruber said.

"The problem highlights the importance of having strong processes as apps become more granular and have the opportunity of developing a broad usage base through app stores," Al Hilwa, a program director at IDC, told MacNewsWorld.

Apple did not respond to MacNewsWorld's requests for comment by press time.

One reason for putting DRM in developers' hands was to enable people who offer free apps to push their products, noted Christmann.

"If someone creates a free app he may want people to distribute it freely, so he may not want DRM," he explained. "There's a lot of free apps developers who don't want any DRM at all to touch their code."

Another reason may have been, ironically, to improve security.

"If Apple implemented full end-to-end DRM itself, that would be a single point of failure for a hacker to make an automated tool that could crack security," Christmann pointed out. "But, if developers each do their own receipt validation on their own, there's no single point of failure, so hackers can't create an automated tool to attack security."

What Simon Says May Not Work

Finally, Apple was trying to make it easier for developers to follow its DRM rules.

"Most developers don't know this sort of stuff, so their inclination is to do what they're told or to find code and copy it into their apps," Christmann elaborated.

Apple's documentation on DRM is "very complex," he said, so the vendor tried to simplify things by suggesting developers read identifiers for apps from their Info.plist.

However, the Info.plist is an XML file that can easily be read and modified with a text editor, and that's what let the pirates in, noted Christmann.

Where the Buck Stops

Developers need to learn how to implement security and DRM, Christmann suggested.

"There's nothing broken in Apple's implementation, although they could update the language in their documentation and perhaps test this attack vector when people upload their apps to the Mac App Store," he said.

"The flaw is in the developer's implementation and the fix is entirely on the developer's side," Christmann added.

"It appears that at least some of the affected developers didn't follow Apple's explicit directions, which consist of five steps, so the company could rightfully claim that it isn't entirely to blame," Charles King, principal at Pund-IT, told MacNewsWorld.

Perhaps developers should hard-code their identifiers and version numbers instead of reading them off the Info.plist, Christmann said.
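A simplified model of the two checks described above, added here as an illustration and not taken from Apple or any developer: the receipt is assumed to be already parsed and signature-verified into a dict, and all bundle IDs and versions are constructed sample values.

```python
import plistlib

# Hypothetical values compiled into the app at build time (assumption).
EXPECTED_BUNDLE_ID = "com.example.birdgame"
EXPECTED_VERSION = "1.0"


def make_info_plist(bundle_id, version):
    """Build Info.plist bytes (constructed sample). The real file sits in the
    app bundle, where anyone with a text editor can change it."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleShortVersionString": version,
    })


def weak_check(receipt, info_plist_bytes):
    """Weak form: the expected values come from the editable Info.plist,
    so the check only proves the receipt matches whatever the file says."""
    info = plistlib.loads(info_plist_bytes)
    return (receipt["bundle_id"] == info["CFBundleIdentifier"]
            and receipt["version"] == info["CFBundleShortVersionString"])


def hardened_check(receipt):
    """Hardened form: the expected values are constants in the binary,
    so editing Info.plist has no effect on the comparison."""
    return (receipt["bundle_id"] == EXPECTED_BUNDLE_ID
            and receipt["version"] == EXPECTED_VERSION)


def demo():
    # Constructed receipts: one issued for this app, one for an unrelated app.
    own = {"bundle_id": "com.example.birdgame", "version": "1.0"}
    foreign = {"bundle_id": "com.example.freeapp", "version": "2.3"}
    original = make_info_plist("com.example.birdgame", "1.0")
    edited = make_info_plist("com.example.freeapp", "2.3")  # file altered to match
    return {
        "weak_own": weak_check(own, original),
        "weak_foreign_edited_plist": weak_check(foreign, edited),
        "hardened_own": hardened_check(own),
        "hardened_foreign": hardened_check(foreign),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
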

The Mac App Store's newness could be partly to blame for its vulnerability to piracy, IDC's Hilwa suggested.

"Teething pains are par for the course for a new venture like this," he pointed out. "I'm sure Apple will lick this problem in the end."

However, solving the problem may cost more than seems worthwhile, at least in the short run.

"The problem is how to combine effective validation and due diligence in a way that isn't onerous for developers and is cost-effective for Apple," said King. "That's a significant challenge when you're dealing with products that sell for a few bucks a copy."